implementing a trustworthy electronic system · 3. if moving from an older system to a new one,...
TRANSCRIPT
Implementing a Trustworthy Electronic System
BY PILAR MCADAM, CRM PARTNER KAIZEN INFOSOURCE LLC
About Kaizen InfoSource, LLC
• Founded in 2009
• Provides nationwide consulting services • RIM Technology Selection/Implementation
• Governance
• Develops goals and direction
• Develops information governance • Enables effective/efficient implementation
of RIM technology
Legal Framework for Elimination of Paper
• 1999 – Government Paperwork Elimination Act
• 1999 – Uniform Electronic Transactions Act (UETA) • Adopted by 47 U.S. States, including California
(California Civil Code §1633.1 – 1633.17)
• 2000 – US Code 7001 – Validity of electronic transactions (ESIGN Act)
• U.S. states and most countries now recognize validity of electronic documents and transactions
Records Originating Electronically
If a record originates electronically:
• The electronic record is considered the original and official version
• No need to print it to paper to be retained
What is a trusted system?
Group Question
Scanned Hardcopies in Municipal Government
If a City record originates as a hardcopy, and is subsequently scanned: The hardcopy cannot be destroyed – and the
scanned version declared as the official version – without the approval of the legislative body unless the City has a “trusted system”
The documents in the trusted system are declared the official records by resolution
(ref: California Government Code 34090.5)
What is a Trusted System?
From CA Government Code §12168.7(b):
◦ … the Secretary of State … shall approve and adopt … the International Organization for Standardization TR 15801:2017 or successor standard, for storing and recording public records in electronic media or in a cloud computing storage service.
From CA Government Code §12168.7(c):
◦ …“trusted system” means a combination of technologies, policies, and procedures for which there is no plausible scenario in which a public record retrieved from or reproduced by the system could differ substantially from the public record that is originally stored.
Note that …
“Trusted system” is required if: •Declare a scanned image as the official version
AND
•Destroy hardcopy version without legislative approval
Not required if: •Municipality will retain hardcopies OR
• Each destruction of scanned hardcopies is approved by legislative body
The Standard, 2017
Intent of the Regulations
Cities should be able to demonstrate that scanned records are what they purport to be, that they cannot be altered, and that they are protected from tampering or premature destruction.
This seems reasonable,
right?
Trusted System • ”Certifies” that electronically stored information (ESI) is an authentic copy of the original document or information
• Will stand up to the rigors of an independent audit process that ensures that no plausible scenario for altering documents is feasible
• Requires that at least one copy of a stored electronic document or record is written that does not permit any unauthorized alterations or deletions and is stored and preserved in a separate and safe location
(Source: California Secretary of State website, https://www.sos.ca.gov/archives/records-management-and-appraisal/electronic-records/electronic-records-guidebook/trusted-systems/)
• Has your organization implemented a trusted system?
• If no, why not? • If yes, what did you learn?
Group Questions
Trusted versus Trustworthy
A Trusted System must comply with the ISO standard and be auditable to that standard
A Trustworthy System should consist of all reasonable hardware, software, and governance (rules) to assure trustworthy records
What Does Trustworthy Mean?
It works – it does what it was designed to do
You can apply controls, including governance
There are documented procedures for getting documents in, stored, and out
Routine disposition of obsolete documents
Protected and secured
Employees are trained and monitored
Kaizen’s approach to helping our
clients achieve “Trustworthy”
What Do We Mean by System
First: “system” vs “System”
system with small s = is the technology used to create, manage or serve as the repository for records
System with a big S = is the technology AND rules (governance) AND processes together, collectively, that comprise a trusted or trustworthy system
What’s So Difficult?
Decision-makers
•Don’t understand IT tools or business processes • Actual steps of procedures are not documented or
standardized
•Expect software, alone, to provide the necessary solution – magic
•Usually know that what they are currently doing isn’t enough, but … • Hesitate to make changes to processes or behavior • Change usually makes staff or officials uncomfortable
What’s So Difficult?, continued
Vendors • Don’t always tell the whole truth • “Yes, this software is a trusted system …”
• … which usually simply means that it: 1. Has a detailed audit trail, AND 2. Copies all records and documents to a separate, secure
storage device (write-once-ready-many - WORM – drive)
• “ … and look at what else it can do!”
• Software, alone, cannot be a trusted system
• Often don’t understand realities/culture of your workplace
• Their priorities are usually billable sales and services
What’s So Difficult?, continued
Consultants
• Cannot apply political/organizational/legislative pressure to make needed changes
• Often brought in after questionable decisions are already made
• Are usually short-term resource, while many issues require long-term solutions
What’s So Difficult?, continued
Internal Considerations
• People don’t like change – they resist it
• Those doing the work are often left out of decision-making that affects the work they do – changes may not meet their true needs
• Disruptions in daily work – while changes take place - are seen as an indication that something is wrong
• Unrealistic expectations – changes will happen quickly and be easy
• Staff turnover in IT causes loss of system knowledge
What You Need to Do
1. Define the rules first – Information Governance – for how records and information will be created, managed, and protected (policies)
2. Identify who can benefit (stakeholders)
3. Document the processes to be followed by employees (procedures, work instructions)
4. Train employees (and when you get tired, train them again)
5. Monitor and audit both the system (audit trails) and the procedures (what people do)
Identifying Stakeholders
Those you want on the team:
• Dept that wants technology to help fix a problem
• One or more with political capital to move the project forward (w/leadership and dept staff)
• Business functions that will use and support the system and technology, during and after implementation
• System owner (not IT)
• Records Manager or the person who has responsibility for Information Management
• The project’s sponsors
Exercise – 15 minutes
Identify the key people for the project team
What business processes might be good
candidates for change and use of
technology?
Opportunities for approval workflows
Automated assignment of retention and
security
Others?
What are potential benefits?
Governance Is Required
Define the classes of records – Retention Schedule
How long to retain them – Retention Schedule
How documents will be named – Naming Rules
The amount of structure that is needed – File Plans
How to index the documents – Metadata
Governance Is Required, continued
The processes employees will follow - Procedures, work instructions
Will it be a record? – Records vs. Non-Records
Automation of a sequence of steps – Workflows
Define rights to find, view, print, edit, or delete – Access/Security
Protection of PII – Sensitivity Classes, Protection
Using Cloud and Web Services
When you do not own the software or the processes, you cannot dictate how service provider operates • Software As A Service (SAAS) • Social Media
Contract terms and conditions can help, but enforcement is tricky
Most service providers have brought their security up to standard
Documentation Needed
Implementation Configuration specs (file plans, metadata standards) User acceptance testing scripts Administrator and user group rights and ownership
Post Implementation Procedure for getting hard copy documents into the file
plan Rules for moving documents, capturing metadata
from documents Procedure and schedule for dispositioning
obsolete documents Rules for adding/deleting users
What Training Is Needed
The City’s rules (governance) •Policy •Retention •Procedures (how people do things) •Process workflows (for automation)
Understanding and using the technology •Only what they need to know to use the
system
Encouraging a culture of compliance
Where to go for help
Essential Elements for Success
1. You must have a plan 2. Designate a business owner for the system 3. If moving from an older system to a new one,
move only needed records into the new system – stop the ability to keep putting records in old system
4. Don’t move everything 5. Assign someone to be the project manager 6. Plan for a two-to-three year budget 7. Keep it moving, but not too fast!
What steps would you include in your plan?
Group Question
1. Develop a Plan (and use it)
• If you fail to plan, you plan to fail
• Get ALL the stakeholders involved from the beginning
• Understand the organization’s direction and needs
• Understand the organization’s technology capability • Fancy systems sound great, but take resources
• Resource needs should fit your capabilities
• Know what the State of California expects of you
2. Business Owner for the System
• System will support business activities
• IT doesn’t own the business activities - no stake in its success
• Someone who benefits from the system needs to be responsible for it
3. Moving Data from Old Systems
If moving from an old system to a new one:
• Needed documents/data must be in the new system
• End users need to USE the new system to see value
• Not moving what you really need means you have to keep an old system alive - need to stop the ability to save to old system
• Inefficient for searches – have to look in multiple places
• Prevents linking with Public Portal
4. Don’t Move Everything
• Moving obsolete data is wasteful and risky
• Keeping obsolete data exposes it to public records requests or FOIA
• More to preserve if under legal holds
• What is the right amount? Depends on use and the business
• Anything within one year of aging out should be left on old system and deleted at close of project
5. Assign a Project Manager
Project Managers • Keep the project moving to completion
• Manage the timing, schedules, and activities
• Conduit for communication
If working with a vendor, they will have their own project manager • A vendor Project Manager is not an advocate for
your organization
• Will push to move at the pace that is best for them, not necessarily for you
6. Budget for 2 to 3 Years Implementing – or upgrading – a trustworthy system takes time • Defining requirements and writing procedures
• Selecting and installing the right tool (and vendor)
• Configuring tool to meet needs
• Moving documents in • From old system
• Electronic documents from various locations
• Via scanning projects
• Training
• Adjusting/improving
7. Move at the Right Pace • Move too fast and things get missed
• Move too slow and risk loosing momentum and support
• Develop a timeline • Figure out the right sequence
• Identify how steps may affect each other (dependencies)
• Will work processes need to change?
• Will other systems be impacted?
• Managers want to know how this will impact their staff and how long changes will take – stay on target
Image Storage or ECM?
Image storage systems provide a repository for scanned documents with few additional features • Lower cost • Simpler configuration
Image Storage or ECM?
Electronic content management (ECM) systems have more capabilities, such as:
• Ability to apply business rules (e.g., retention, security) to documents
• Enhanced searches and reporting, whether of documents by name or for text within documents
• Automate business workflows (e.g., routing and approvals) • Detailed audit trails (to track who accesses and what
happens to a document) • Integration with other enterprise systems (e.g., Finance) • Design electronic forms – both internal and for the public • Provide a public portal
ECM Considerations
• Costs higher than image storage systems • Costs can vary widely • Most ECM capabilities are priced as individual modules • Can add modules over time
• Need more support from internal staff and from vendors
• Provide opportunities to simplify business processes
• Takes longer to fully implement (2 – 3 years) • Important to know your long-range goal
ECM Considerations, continued
• Professional services costs from vendor • At least 1/3 of total project cost • Can be 2 to 3 times the cost of the software (depending
on what you want vendor to do) • Budget for extra hours in the first 1 – 2 years (for
technical adjustments)
• When business processes change, it takes more time • Staff must learn to do things differently • Cannot implement multiple process changes at the
same time
ECM Considerations, continued
• Use the technology to perform tasks differently • It can do more • Change the way you work
• Golden opportunity to find ways to work smarter
• Be very careful not to simply automate a task that’s “… always been done that way” • Too often, the way things have “… always been done”
are not the only way, or the best way, to do them
Whether Image Storage or ECM
Decisions and rules still needed • Naming conventions • File/folder structure • Metadata/indexing standards • Security/access rights
Training, support and resources still needed • How to use tools • Where to get help
The 5-Step Approach to Implementing a System
1. Build the new environment that will be the records repository – allowing for “working” area elsewhere
2. Day forward – from the first day all records go into new repository – STOP allowing records to go into old repository (or shared drives, etc.)
3. Move only needed documents/records 4. Delete obsolete records from old system 5. If there are still records in an old system, let them
age out, but block from adding new documents
Summary
Do you want Trusted System, or will a trustworthy system meet your needs?
For a Trusted System, all of the California regulation requirements must be met (but the audit component is problematic)
Regardless Establish governance Use software that can meet governance requirements Document procedures Train staff to follow procedures
Thank You! Questions